diff --git a/proposals/issuerTokens.png b/proposals/issuerTokens.png new file mode 100644 index 0000000..1f4ebdf Binary files /dev/null and b/proposals/issuerTokens.png differ diff --git a/proposals/networkTokens.png b/proposals/networkTokens.png new file mode 100644 index 0000000..0f07879 Binary files /dev/null and b/proposals/networkTokens.png differ diff --git a/proposals/tokenized_cards.html b/proposals/tokenized_cards.html index 7d77562..01d2f57 100644 --- a/proposals/tokenized_cards.html +++ b/proposals/tokenized_cards.html @@ -88,8 +88,17 @@
This specification is a Payment Transaction Message Specification used by the PaymentRequest API - [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards. Merchants should favor tokenized card payment methods over basic card payments. + [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards. Tokenization provides some advantages over traditional card payments - tokenized credentials are often narrowly scoped, for example single-use or merchant/amount/time scoped. Tokenized credentials also help alleviate some concerns about merchant data breaches since the merchant does not have the raw PAN. This provides some additional security for a consumer.
++ This specification covers issuer and network tokens, but does not encompass all types of tokenization. As an example, gateway tokens are not covered by this specification since they often require merchant onboarding with the token provider. Network tokens are tokens (typically single-use) provided by card networks (i.e. Visa/MasterCard/American Express/Discover/etc.). These tokens are a representation of the underlying PAN. With issuer tokens, a provider serves as a card issuer by generating a new card number. This new card number is backed by the original PAN or by another funding source. During charging of these tokens, the provider translates the generated card number back into the original PAN or original funding source. +
+ +The flow of issuer tokens is shown in the diagram below:
+ + +The flow of network tokens is shown in the diagram below:
+The following payment method identifier strings are supported by the Tokenized Card Payment data formats.
-Identifier String | Description |
---|---|
urn:payment-method:tokenized-card-payment:network | Network Tokenized Cards |
urn:payment-method:tokenized-card-payment:issuer | Issuer Tokenized Cards |
- The payment method can be further specified by using the optional supportedTokenTypes
data attribute.
- Payment Mediators will take the supported token types into consideration when presenting Payment Apps to the user.
-
The payment method identifier string for the Tokenized Card Payment method is card-token
.
This section describes payment method specific data that is supplied as part of the data
- argument to the PaymentRequest constructor.
- dictionary TokenizedCardSpecificData { - required sequence<DOMString> supportedTokenTypes; - DOMString? merchantID; + enum TokenCardType { "emv", "issuer" }; + + dictionary TokenCardRequest { + sequence<DOMString> supportedNetworks; + sequence<TokenCardType> supportedTypes; };+
- The TokenizedCardSpecificData
dictionary contains the following fields:
+ The TokenCardRequest
dictionary contains the following fields:
supportedTokenTypes
supportedTokenTypes
specifies which network or issuer token providers you support.
+ supportedNetworks
supportedNetworks
field contains a sequence of identifiers for card networks
+ that the merchant accepts.supportedTypes
supportedTypes
field contains a sequence of token card types that the merchant
+ accepts. Implementations will determine how to match the type values emv
,
+ and issuer
.As an example, you might construct a Payment Request with supported payment methods as follows:
+
+ The supportedNetworks
and supportedTypes
fields are both optional.
+ If neither is provided then any card may be returned. If only supportedNetworks
+ is provided then any card type may be returned provided it matches one of the networks.
+ If only supportedTypes
is provided then a card may be returned from any network
+ provided it matches one of the types. It is expected that supportedTypes will be an evolving list.
+
- var supportedMethods = [{ - supportedMethods: ['urn:payment-method:tokenized-card-payment:issuer'], - data: { - supportedTokenTypes: ['roypay'], - }, - }]; -+
The TokenizedCardResponse
dictionary contains the response from the
- PaymentRequest API when a user accepts payment with a Tokenized Payment Card payment method.
+ The TokenizedCardResponse
dictionary contains the response from the PaymentRequest API when a user accepts payment with a Tokenized Payment Card payment method. The intention is for this to extend from the BasicCardResponse with some additional fields required for tokenization. It should be noted that the "cardSecurityCode" from the BasicCardResponse will contain a card security code for issuer-based tokens, but will contain the cryptogram for network tokens. The combination of cardNumber (the token number) + cardSecurityCode (either cryptogram or security code) establishes a one-time use credential.
+
- dictionary TokenizedCardResponse { - DOMString cardholderName; + dictionary TokenizedCardResponse: BasicCardResponse { required DOMString cardLast4; - DOMString cardType; DOMString tokenType; - required DOMString tokenNumber; - required DOMString expiryMonth; - required DOMString expiryYear; - DOMString tokenCryptogram; DOMString tokenRequesterId; - BillingAddress? billingAddress; };-
The TokenizedCardResponse
dictionary contains the following fields:
cardholderName
cardholderName
field contains the cardholder's name as it appears on the card.cardLast4
cardLast4
field contains the last 4 digits of the original (non-token) primary account number (PAN) for the payment card.cardType
cardType
field contains the type (Visa, Mastercard, etc.) of the original (non-token) payment card.cardLast4
field contains the last 4 digits of the original (non-token) primary account number (PAN) for the payment card. This may be used for display purposes during the purchase.tokenType
tokenType
field contains the type (Network, Issuer) of token.tokenNumber
tokenNumber
field contains the token number for the payment card.expiryMonth
expiryMonth
field contains a two-digit string for the expiry month
- of the token in the range 01
to 12
.expiryYear
expiryYear
field contains a two-digit string for the expiry year
- of the token in the range 00
to 99
.tokenCryptogram
tokenCryptogram
field contains the cryptogram for the token. The cryptogram+token combination establishes a one time use credential. For issuer tokenization, this field should be a CVV.tokenRequesterId
tokenRequesterId
field contains ID of the requester of the token (likely the creator of the payment app). This field is only applicable to network tokenization.